2008-07-03 17:41:03 +04:00
|
|
|
/*
|
nbd/client: Add nbd_receive_export_list()
We want to be able to detect whether a given qemu NBD server is
exposing the right export(s) and dirty bitmaps, at least for
regression testing. We could use 'nbd-client -l' from the upstream
NBD project to list exports, but it's annoying to rely on
out-of-tree binaries; furthermore, nbd-client doesn't necessarily
know about all of the qemu NBD extensions. Thus, we plan on adding
a new mode to qemu-nbd that merely sniffs all possible information
from the server during handshake phase, then disconnects and dumps
the information.
This patch adds the low-level client code for grabbing the list
of exports. It benefits from the recent refactoring patches, in
order to share as much code as possible when it comes to doing
validation of server replies. The resulting information is stored
in an array of NBDExportInfo which has been expanded to any
description string, along with a convenience function for freeing
the list.
Note: a malicious server could exhaust memory of a client by feeding
an unending loop of exports; perhaps we should place a limit on how
many we are willing to receive. But note that a server could
reasonably be serving an export for every file in a large directory,
where an arbitrary limit in the client means we can't list anything
from such a server; the same happens if we just run until the client
fails to malloc() and thus dies by an abort(), where the limit is
no longer arbitrary but determined by available memory. Since the
client is already planning on being short-lived, it's hard to call
this a denial of service attack that would starve off other uses,
so it does not appear to be a security issue.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20190117193658.16413-18-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2019-01-17 22:36:54 +03:00
|
|
|
* Copyright (C) 2016-2019 Red Hat, Inc.
|
2008-05-28 01:13:40 +04:00
|
|
|
* Copyright (C) 2005 Anthony Liguori <anthony@codemonkey.ws>
|
|
|
|
*
|
|
|
|
* Network Block Device
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; under version 2 of the License.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2009-07-17 00:47:01 +04:00
|
|
|
* along with this program; if not, see <http://www.gnu.org/licenses/>.
|
2008-07-03 17:41:03 +04:00
|
|
|
*/
|
2008-05-28 01:13:40 +04:00
|
|
|
|
|
|
|
#ifndef NBD_H
|
|
|
|
#define NBD_H
|
|
|
|
|
2018-02-11 12:36:01 +03:00
|
|
|
#include "qapi/qapi-types-block.h"
|
2016-02-10 21:41:04 +03:00
|
|
|
#include "io/channel-socket.h"
|
2016-02-10 21:41:11 +03:00
|
|
|
#include "crypto/tlscreds.h"
|
2019-01-28 19:58:30 +03:00
|
|
|
#include "qapi/error.h"
|
2011-02-22 18:44:53 +03:00
|
|
|
|
2016-10-14 21:33:10 +03:00
|
|
|
/* Handshake phase structs - this struct is passed on the wire */
|
|
|
|
|
2017-11-22 13:19:57 +03:00
|
|
|
struct NBDOption {
|
2016-10-14 21:33:10 +03:00
|
|
|
uint64_t magic; /* NBD_OPTS_MAGIC */
|
|
|
|
uint32_t option; /* NBD_OPT_* */
|
|
|
|
uint32_t length;
|
|
|
|
} QEMU_PACKED;
|
2017-11-22 13:19:57 +03:00
|
|
|
typedef struct NBDOption NBDOption;
|
2016-10-14 21:33:10 +03:00
|
|
|
|
2017-11-22 13:19:57 +03:00
|
|
|
struct NBDOptionReply {
|
2016-10-14 21:33:10 +03:00
|
|
|
uint64_t magic; /* NBD_REP_MAGIC */
|
|
|
|
uint32_t option; /* NBD_OPT_* */
|
|
|
|
uint32_t type; /* NBD_REP_* */
|
|
|
|
uint32_t length;
|
|
|
|
} QEMU_PACKED;
|
2017-11-22 13:19:57 +03:00
|
|
|
typedef struct NBDOptionReply NBDOptionReply;
|
2016-10-14 21:33:10 +03:00
|
|
|
|
2018-02-26 19:26:25 +03:00
|
|
|
typedef struct NBDOptionReplyMetaContext {
|
|
|
|
NBDOptionReply h; /* h.type = NBD_REP_META_CONTEXT, h.length > 4 */
|
|
|
|
uint32_t context_id;
|
|
|
|
/* meta context name follows */
|
|
|
|
} QEMU_PACKED NBDOptionReplyMetaContext;
|
|
|
|
|
2016-10-14 21:33:10 +03:00
|
|
|
/* Transmission phase structs
|
|
|
|
*
|
|
|
|
* Note: these are _NOT_ the same as the network representation of an NBD
|
2016-06-13 12:42:40 +03:00
|
|
|
* request and reply!
|
|
|
|
*/
|
2016-10-14 21:33:07 +03:00
|
|
|
struct NBDRequest {
|
2008-07-03 17:41:03 +04:00
|
|
|
uint64_t handle;
|
|
|
|
uint64_t from;
|
|
|
|
uint32_t len;
|
2016-10-14 21:33:10 +03:00
|
|
|
uint16_t flags; /* NBD_CMD_FLAG_* */
|
|
|
|
uint16_t type; /* NBD_CMD_* */
|
2016-06-13 12:42:40 +03:00
|
|
|
};
|
2016-10-14 21:33:07 +03:00
|
|
|
typedef struct NBDRequest NBDRequest;
|
2008-07-03 17:41:03 +04:00
|
|
|
|
2017-10-12 12:53:10 +03:00
|
|
|
typedef struct NBDSimpleReply {
|
|
|
|
uint32_t magic; /* NBD_SIMPLE_REPLY_MAGIC */
|
|
|
|
uint32_t error;
|
|
|
|
uint64_t handle;
|
|
|
|
} QEMU_PACKED NBDSimpleReply;
|
|
|
|
|
2017-10-27 13:40:28 +03:00
|
|
|
/* Header of all structured replies */
|
|
|
|
typedef struct NBDStructuredReplyChunk {
|
|
|
|
uint32_t magic; /* NBD_STRUCTURED_REPLY_MAGIC */
|
|
|
|
uint16_t flags; /* combination of NBD_REPLY_FLAG_* */
|
|
|
|
uint16_t type; /* NBD_REPLY_TYPE_* */
|
|
|
|
uint64_t handle; /* request handle */
|
|
|
|
uint32_t length; /* length of payload */
|
|
|
|
} QEMU_PACKED NBDStructuredReplyChunk;
|
|
|
|
|
2017-10-27 13:40:35 +03:00
|
|
|
typedef union NBDReply {
|
|
|
|
NBDSimpleReply simple;
|
|
|
|
NBDStructuredReplyChunk structured;
|
|
|
|
struct {
|
|
|
|
/* @magic and @handle fields have the same offset and size both in
|
|
|
|
* simple reply and structured reply chunk, so let them be accessible
|
|
|
|
* without ".simple." or ".structured." specification
|
|
|
|
*/
|
|
|
|
uint32_t magic;
|
|
|
|
uint32_t _skip;
|
|
|
|
uint64_t handle;
|
|
|
|
} QEMU_PACKED;
|
|
|
|
} NBDReply;
|
|
|
|
|
2017-11-09 00:57:00 +03:00
|
|
|
/* Header of chunk for NBD_REPLY_TYPE_OFFSET_DATA */
|
|
|
|
typedef struct NBDStructuredReadData {
|
|
|
|
NBDStructuredReplyChunk h; /* h.length >= 9 */
|
2017-10-27 13:40:28 +03:00
|
|
|
uint64_t offset;
|
2017-11-09 00:57:00 +03:00
|
|
|
/* At least one byte of data payload follows, calculated from h.length */
|
|
|
|
} QEMU_PACKED NBDStructuredReadData;
|
|
|
|
|
|
|
|
/* Complete chunk for NBD_REPLY_TYPE_OFFSET_HOLE */
|
|
|
|
typedef struct NBDStructuredReadHole {
|
|
|
|
NBDStructuredReplyChunk h; /* h.length == 12 */
|
|
|
|
uint64_t offset;
|
|
|
|
uint32_t length;
|
|
|
|
} QEMU_PACKED NBDStructuredReadHole;
|
2017-10-27 13:40:28 +03:00
|
|
|
|
|
|
|
/* Header of all NBD_REPLY_TYPE_ERROR* errors */
|
|
|
|
typedef struct NBDStructuredError {
|
2017-11-09 00:57:00 +03:00
|
|
|
NBDStructuredReplyChunk h; /* h.length >= 6 */
|
2017-10-27 13:40:28 +03:00
|
|
|
uint32_t error;
|
|
|
|
uint16_t message_length;
|
|
|
|
} QEMU_PACKED NBDStructuredError;
|
|
|
|
|
2018-02-26 19:26:25 +03:00
|
|
|
/* Header of NBD_REPLY_TYPE_BLOCK_STATUS */
|
|
|
|
typedef struct NBDStructuredMeta {
|
|
|
|
NBDStructuredReplyChunk h; /* h.length >= 12 (at least one extent) */
|
|
|
|
uint32_t context_id;
|
|
|
|
/* extents follows */
|
|
|
|
} QEMU_PACKED NBDStructuredMeta;
|
|
|
|
|
|
|
|
/* Extent chunk for NBD_REPLY_TYPE_BLOCK_STATUS */
|
|
|
|
typedef struct NBDExtent {
|
|
|
|
uint32_t length;
|
|
|
|
uint32_t flags; /* NBD_STATE_* */
|
|
|
|
} QEMU_PACKED NBDExtent;
|
|
|
|
|
2016-10-14 21:33:04 +03:00
|
|
|
/* Transmission (export) flags: sent from server to client during handshake,
|
|
|
|
but describe what will happen during transmission */
|
2017-10-12 12:53:14 +03:00
|
|
|
#define NBD_FLAG_HAS_FLAGS (1 << 0) /* Flags are there */
|
|
|
|
#define NBD_FLAG_READ_ONLY (1 << 1) /* Device is read-only */
|
|
|
|
#define NBD_FLAG_SEND_FLUSH (1 << 2) /* Send FLUSH */
|
|
|
|
#define NBD_FLAG_SEND_FUA (1 << 3) /* Send FUA (Force Unit Access) */
|
|
|
|
#define NBD_FLAG_ROTATIONAL (1 << 4) /* Use elevator algorithm -
|
|
|
|
rotational media */
|
|
|
|
#define NBD_FLAG_SEND_TRIM (1 << 5) /* Send TRIM (discard) */
|
|
|
|
#define NBD_FLAG_SEND_WRITE_ZEROES (1 << 6) /* Send WRITE_ZEROES */
|
2017-10-27 13:40:28 +03:00
|
|
|
#define NBD_FLAG_SEND_DF (1 << 7) /* Send DF (Do not Fragment) */
|
nbd: fix NBD_FLAG_SEND_CACHE value
Commit bc37b06a5 added NBD_CMD_CACHE support, but used the wrong value
for NBD_FLAG_SEND_CACHE flag for negotiation. That commit picked bit 8,
which had already been assigned by the NBD specification to mean
NBD_FLAG_CAN_MULTI_CONN, and which was already implemented in the
Linux kernel as a part of stable userspace-kernel API since 4.10:
"bit 8, NBD_FLAG_CAN_MULTI_CONN: Indicates that the server operates
entirely without cache, or that the cache it uses is shared among all
connections to the given device. In particular, if this flag is
present, then the effects of NBD_CMD_FLUSH and NBD_CMD_FLAG_FUA
MUST be visible across all connections when the server sends its reply
to that command to the client. In the absense of this flag, clients
SHOULD NOT multiplex their commands over more than one connection to
the export.
...
bit 10, NBD_FLAG_SEND_CACHE: documents that the server understands
NBD_CMD_CACHE; however, note that server implementations exist
which support the command without advertising this bit, and
conversely that this bit does not guarantee that the command will
succeed or have an impact."
Consequences:
- a client trying to use NBD_CMD_CACHE per the NBD spec will not
see the feature as available from a qemu 3.0 server (not fatal,
clients already have to be prepared for caching to not exist)
- a client accidentally coded to the qemu 3.0 bit value instead
of following the spec may interpret NBD_CMD_CACHE as being available
when it is not (probably not fatal, the spec says the server should
gracefully fail unknown commands, and that clients of NBD_CMD_CACHE
should be prepared for failure even when the feature is advertised);
such clients are unlikely (perhaps only in unreleased Virtuozzo code),
and will disappear over time
- a client prepared to use multiple connections based on
NBD_FLAG_CAN_MULTI_CONN may cause data corruption when it assumes
that caching is consistent when in reality qemu 3.0 did not have
a consistent cache. Partially mitigated by using read-only
connections (where nothing needs to be flushed, so caching is
indeed consistent) or when using qemu-nbd with the default -e 1
(at most one client at a time); visible only when using -e 2 or
more for a writable export.
Thus the commit fixes negotiation flag in QEMU according to the
specification.
Signed-off-by: Denis V. Lunev <den@openvz.org>
CC: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
CC: Valery Vdovin <valery.vdovin@acronis.com>
CC: Eric Blake <eblake@redhat.com>
CC: Paolo Bonzini <pbonzini@redhat.com>
CC: qemu-stable@nongnu.org
Message-Id: <20181004100313.4253-1-den@openvz.org>
Reviewed-by: Eric Blake <eblake@redhat.com>
[eblake: enhance commit message, add defines for unimplemented flags]
Signed-off-by: Eric Blake <eblake@redhat.com>
2018-10-04 13:03:13 +03:00
|
|
|
#define NBD_FLAG_CAN_MULTI_CONN (1 << 8) /* Multi-client cache consistent */
|
|
|
|
#define NBD_FLAG_SEND_RESIZE (1 << 9) /* Send resize */
|
|
|
|
#define NBD_FLAG_SEND_CACHE (1 << 10) /* Send CACHE (prefetch) */
|
2011-09-08 19:24:55 +04:00
|
|
|
|
2016-10-14 21:33:04 +03:00
|
|
|
/* New-style handshake (global) flags, sent from server to client, and
|
|
|
|
control what will happen during handshake phase. */
|
2016-10-14 21:33:14 +03:00
|
|
|
#define NBD_FLAG_FIXED_NEWSTYLE (1 << 0) /* Fixed newstyle protocol. */
|
|
|
|
#define NBD_FLAG_NO_ZEROES (1 << 1) /* End handshake without zeroes. */
|
2014-06-07 04:32:31 +04:00
|
|
|
|
2016-10-14 21:33:04 +03:00
|
|
|
/* New-style client flags, sent from client to server to control what happens
|
|
|
|
during handshake phase. */
|
2016-10-14 21:33:14 +03:00
|
|
|
#define NBD_FLAG_C_FIXED_NEWSTYLE (1 << 0) /* Fixed newstyle protocol. */
|
|
|
|
#define NBD_FLAG_C_NO_ZEROES (1 << 1) /* End handshake without zeroes. */
|
2014-06-07 04:32:31 +04:00
|
|
|
|
2017-07-07 23:30:43 +03:00
|
|
|
/* Option requests. */
|
2018-02-15 16:51:40 +03:00
|
|
|
#define NBD_OPT_EXPORT_NAME (1)
|
|
|
|
#define NBD_OPT_ABORT (2)
|
|
|
|
#define NBD_OPT_LIST (3)
|
|
|
|
/* #define NBD_OPT_PEEK_EXPORT (4) not in use */
|
|
|
|
#define NBD_OPT_STARTTLS (5)
|
|
|
|
#define NBD_OPT_INFO (6)
|
|
|
|
#define NBD_OPT_GO (7)
|
|
|
|
#define NBD_OPT_STRUCTURED_REPLY (8)
|
2018-02-26 19:26:25 +03:00
|
|
|
#define NBD_OPT_LIST_META_CONTEXT (9)
|
|
|
|
#define NBD_OPT_SET_META_CONTEXT (10)
|
2017-07-07 23:30:43 +03:00
|
|
|
|
|
|
|
/* Option reply types. */
|
2016-10-14 21:33:16 +03:00
|
|
|
#define NBD_REP_ERR(value) ((UINT32_C(1) << 31) | (value))
|
|
|
|
|
2018-02-15 16:51:40 +03:00
|
|
|
#define NBD_REP_ACK (1) /* Data sending finished. */
|
|
|
|
#define NBD_REP_SERVER (2) /* Export description. */
|
|
|
|
#define NBD_REP_INFO (3) /* NBD_OPT_INFO/GO. */
|
2018-02-26 19:26:25 +03:00
|
|
|
#define NBD_REP_META_CONTEXT (4) /* NBD_OPT_{LIST,SET}_META_CONTEXT */
|
2017-07-07 23:30:43 +03:00
|
|
|
|
|
|
|
#define NBD_REP_ERR_UNSUP NBD_REP_ERR(1) /* Unknown option */
|
|
|
|
#define NBD_REP_ERR_POLICY NBD_REP_ERR(2) /* Server denied */
|
|
|
|
#define NBD_REP_ERR_INVALID NBD_REP_ERR(3) /* Invalid length */
|
|
|
|
#define NBD_REP_ERR_PLATFORM NBD_REP_ERR(4) /* Not compiled in */
|
|
|
|
#define NBD_REP_ERR_TLS_REQD NBD_REP_ERR(5) /* TLS required */
|
|
|
|
#define NBD_REP_ERR_UNKNOWN NBD_REP_ERR(6) /* Export unknown */
|
|
|
|
#define NBD_REP_ERR_SHUTDOWN NBD_REP_ERR(7) /* Server shutting down */
|
|
|
|
#define NBD_REP_ERR_BLOCK_SIZE_REQD NBD_REP_ERR(8) /* Need INFO_BLOCK_SIZE */
|
|
|
|
|
|
|
|
/* Info types, used during NBD_REP_INFO */
|
|
|
|
#define NBD_INFO_EXPORT 0
|
|
|
|
#define NBD_INFO_NAME 1
|
|
|
|
#define NBD_INFO_DESCRIPTION 2
|
|
|
|
#define NBD_INFO_BLOCK_SIZE 3
|
2016-02-10 21:41:11 +03:00
|
|
|
|
2016-10-14 21:33:04 +03:00
|
|
|
/* Request flags, sent from client to server during transmission phase */
|
2016-10-14 21:33:17 +03:00
|
|
|
#define NBD_CMD_FLAG_FUA (1 << 0) /* 'force unit access' during write */
|
|
|
|
#define NBD_CMD_FLAG_NO_HOLE (1 << 1) /* don't punch hole on zero run */
|
2017-10-27 13:40:28 +03:00
|
|
|
#define NBD_CMD_FLAG_DF (1 << 2) /* don't fragment structured read */
|
2018-02-26 19:26:25 +03:00
|
|
|
#define NBD_CMD_FLAG_REQ_ONE (1 << 3) /* only one extent in BLOCK_STATUS
|
|
|
|
* reply chunk */
|
2014-06-07 04:32:31 +04:00
|
|
|
|
2016-10-14 21:33:04 +03:00
|
|
|
/* Supported request types */
|
2008-07-03 17:41:03 +04:00
|
|
|
enum {
|
|
|
|
NBD_CMD_READ = 0,
|
|
|
|
NBD_CMD_WRITE = 1,
|
2011-09-08 19:24:55 +04:00
|
|
|
NBD_CMD_DISC = 2,
|
|
|
|
NBD_CMD_FLUSH = 3,
|
2016-10-14 21:33:17 +03:00
|
|
|
NBD_CMD_TRIM = 4,
|
2018-04-13 17:31:56 +03:00
|
|
|
NBD_CMD_CACHE = 5,
|
2016-10-14 21:33:17 +03:00
|
|
|
NBD_CMD_WRITE_ZEROES = 6,
|
2018-02-26 19:26:25 +03:00
|
|
|
NBD_CMD_BLOCK_STATUS = 7,
|
2008-07-03 17:41:03 +04:00
|
|
|
};
|
|
|
|
|
2010-08-26 00:48:33 +04:00
|
|
|
#define NBD_DEFAULT_PORT 10809
|
|
|
|
|
2013-05-02 16:23:08 +04:00
|
|
|
/* Maximum size of a single READ/WRITE data buffer */
|
|
|
|
#define NBD_MAX_BUFFER_SIZE (32 * 1024 * 1024)
|
2016-06-24 01:37:08 +03:00
|
|
|
|
2016-05-12 01:39:44 +03:00
|
|
|
/* Maximum size of an export name. The NBD spec requires 256 and
|
|
|
|
* suggests that servers support up to 4096, but we stick to only the
|
|
|
|
* required size so that we can stack-allocate the names, and because
|
|
|
|
* going larger would require an audit of more code to make sure we
|
|
|
|
* aren't overflowing some other buffer. */
|
|
|
|
#define NBD_MAX_NAME_SIZE 256
|
2011-10-07 16:35:58 +04:00
|
|
|
|
2017-10-27 13:40:28 +03:00
|
|
|
/* Two types of reply structures */
|
|
|
|
#define NBD_SIMPLE_REPLY_MAGIC 0x67446698
|
|
|
|
#define NBD_STRUCTURED_REPLY_MAGIC 0x668e33ef
|
|
|
|
|
|
|
|
/* Structured reply flags */
|
|
|
|
#define NBD_REPLY_FLAG_DONE (1 << 0) /* This reply-chunk is last */
|
|
|
|
|
|
|
|
/* Structured reply types */
|
|
|
|
#define NBD_REPLY_ERR(value) ((1 << 15) | (value))
|
|
|
|
|
|
|
|
#define NBD_REPLY_TYPE_NONE 0
|
|
|
|
#define NBD_REPLY_TYPE_OFFSET_DATA 1
|
|
|
|
#define NBD_REPLY_TYPE_OFFSET_HOLE 2
|
2018-02-26 19:26:25 +03:00
|
|
|
#define NBD_REPLY_TYPE_BLOCK_STATUS 5
|
2017-10-27 13:40:28 +03:00
|
|
|
#define NBD_REPLY_TYPE_ERROR NBD_REPLY_ERR(1)
|
|
|
|
#define NBD_REPLY_TYPE_ERROR_OFFSET NBD_REPLY_ERR(2)
|
|
|
|
|
2018-06-09 18:17:56 +03:00
|
|
|
/* Extent flags for base:allocation in NBD_REPLY_TYPE_BLOCK_STATUS */
|
2018-02-26 19:26:25 +03:00
|
|
|
#define NBD_STATE_HOLE (1 << 0)
|
|
|
|
#define NBD_STATE_ZERO (1 << 1)
|
|
|
|
|
2018-06-09 18:17:56 +03:00
|
|
|
/* Extent flags for qemu:dirty-bitmap in NBD_REPLY_TYPE_BLOCK_STATUS */
|
|
|
|
#define NBD_STATE_DIRTY (1 << 0)
|
|
|
|
|
2017-10-27 13:40:37 +03:00
|
|
|
static inline bool nbd_reply_type_is_error(int type)
|
|
|
|
{
|
|
|
|
return type & (1 << 15);
|
|
|
|
}
|
|
|
|
|
2017-10-27 13:40:27 +03:00
|
|
|
/* NBD errors are based on errno numbers, so there is a 1:1 mapping,
|
|
|
|
* but only a limited set of errno values is specified in the protocol.
|
|
|
|
* Everything else is squashed to EINVAL.
|
|
|
|
*/
|
|
|
|
#define NBD_SUCCESS 0
|
|
|
|
#define NBD_EPERM 1
|
|
|
|
#define NBD_EIO 5
|
|
|
|
#define NBD_ENOMEM 12
|
|
|
|
#define NBD_EINVAL 22
|
|
|
|
#define NBD_ENOSPC 28
|
2017-10-27 13:40:28 +03:00
|
|
|
#define NBD_EOVERFLOW 75
|
2017-10-27 13:40:27 +03:00
|
|
|
#define NBD_ESHUTDOWN 108
|
|
|
|
|
2017-07-07 23:30:41 +03:00
|
|
|
/* Details collected by NBD_OPT_EXPORT_NAME and NBD_OPT_GO */
|
|
|
|
struct NBDExportInfo {
|
nbd: Implement NBD_INFO_BLOCK_SIZE on client
The upstream NBD Protocol has defined a new extension to allow
the server to advertise block sizes to the client, as well as
a way for the client to inform the server whether it intends to
obey block sizes.
When using the block layer as the client, we will obey block
sizes; but when used as 'qemu-nbd -c' to hand off to the
kernel nbd module as the client, we are still waiting for the
kernel to implement a way for us to learn if it will honor
block sizes (perhaps by an addition to sysfs, rather than an
ioctl), as well as any way to tell the kernel what additional
block sizes to obey (NBD_SET_BLKSIZE appears to be accurate
for the minimum size, but preferred and maximum sizes would
probably be new ioctl()s), so until then, we need to make our
request for block sizes conditional.
When using ioctl(NBD_SET_BLKSIZE) to hand off to the kernel,
use the minimum block size as the sector size if it is larger
than 512, which also has the nice effect of cooperating with
(non-qemu) servers that don't do read-modify-write when
exposing a block device with 4k sectors; it might also allow
us to visit a file larger than 2T on a 32-bit kernel.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170707203049.534-10-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-07-07 23:30:49 +03:00
|
|
|
/* Set by client before nbd_receive_negotiate() */
|
|
|
|
bool request_sizes;
|
2018-07-02 22:14:57 +03:00
|
|
|
char *x_dirty_bitmap;
|
nbd/client: Add nbd_receive_export_list()
We want to be able to detect whether a given qemu NBD server is
exposing the right export(s) and dirty bitmaps, at least for
regression testing. We could use 'nbd-client -l' from the upstream
NBD project to list exports, but it's annoying to rely on
out-of-tree binaries; furthermore, nbd-client doesn't necessarily
know about all of the qemu NBD extensions. Thus, we plan on adding
a new mode to qemu-nbd that merely sniffs all possible information
from the server during handshake phase, then disconnects and dumps
the information.
This patch adds the low-level client code for grabbing the list
of exports. It benefits from the recent refactoring patches, in
order to share as much code as possible when it comes to doing
validation of server replies. The resulting information is stored
in an array of NBDExportInfo which has been expanded to any
description string, along with a convenience function for freeing
the list.
Note: a malicious server could exhaust memory of a client by feeding
an unending loop of exports; perhaps we should place a limit on how
many we are willing to receive. But note that a server could
reasonably be serving an export for every file in a large directory,
where an arbitrary limit in the client means we can't list anything
from such a server; the same happens if we just run until the client
fails to malloc() and thus dies by an abort(), where the limit is
no longer arbitrary but determined by available memory. Since the
client is already planning on being short-lived, it's hard to call
this a denial of service attack that would starve off other uses,
so it does not appear to be a security issue.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20190117193658.16413-18-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2019-01-17 22:36:54 +03:00
|
|
|
|
|
|
|
/* Set by client before nbd_receive_negotiate(), or by server results
|
|
|
|
* during nbd_receive_export_list() */
|
2019-01-17 22:36:46 +03:00
|
|
|
char *name; /* must be non-NULL */
|
2017-10-27 13:40:37 +03:00
|
|
|
|
|
|
|
/* In-out fields, set by client before nbd_receive_negotiate() and
|
|
|
|
* updated by server results during nbd_receive_negotiate() */
|
|
|
|
bool structured_reply;
|
2018-03-12 18:21:23 +03:00
|
|
|
bool base_allocation; /* base:allocation context for NBD_CMD_BLOCK_STATUS */
|
2017-10-27 13:40:37 +03:00
|
|
|
|
nbd/client: Add nbd_receive_export_list()
We want to be able to detect whether a given qemu NBD server is
exposing the right export(s) and dirty bitmaps, at least for
regression testing. We could use 'nbd-client -l' from the upstream
NBD project to list exports, but it's annoying to rely on
out-of-tree binaries; furthermore, nbd-client doesn't necessarily
know about all of the qemu NBD extensions. Thus, we plan on adding
a new mode to qemu-nbd that merely sniffs all possible information
from the server during handshake phase, then disconnects and dumps
the information.
This patch adds the low-level client code for grabbing the list
of exports. It benefits from the recent refactoring patches, in
order to share as much code as possible when it comes to doing
validation of server replies. The resulting information is stored
in an array of NBDExportInfo which has been expanded to any
description string, along with a convenience function for freeing
the list.
Note: a malicious server could exhaust memory of a client by feeding
an unending loop of exports; perhaps we should place a limit on how
many we are willing to receive. But note that a server could
reasonably be serving an export for every file in a large directory,
where an arbitrary limit in the client means we can't list anything
from such a server; the same happens if we just run until the client
fails to malloc() and thus dies by an abort(), where the limit is
no longer arbitrary but determined by available memory. Since the
client is already planning on being short-lived, it's hard to call
this a denial of service attack that would starve off other uses,
so it does not appear to be a security issue.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20190117193658.16413-18-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2019-01-17 22:36:54 +03:00
|
|
|
/* Set by server results during nbd_receive_negotiate() and
|
|
|
|
* nbd_receive_export_list() */
|
2017-07-07 23:30:41 +03:00
|
|
|
uint64_t size;
|
|
|
|
uint16_t flags;
|
nbd: Implement NBD_INFO_BLOCK_SIZE on client
The upstream NBD Protocol has defined a new extension to allow
the server to advertise block sizes to the client, as well as
a way for the client to inform the server whether it intends to
obey block sizes.
When using the block layer as the client, we will obey block
sizes; but when used as 'qemu-nbd -c' to hand off to the
kernel nbd module as the client, we are still waiting for the
kernel to implement a way for us to learn if it will honor
block sizes (perhaps by an addition to sysfs, rather than an
ioctl), as well as any way to tell the kernel what additional
block sizes to obey (NBD_SET_BLKSIZE appears to be accurate
for the minimum size, but preferred and maximum sizes would
probably be new ioctl()s), so until then, we need to make our
request for block sizes conditional.
When using ioctl(NBD_SET_BLKSIZE) to hand off to the kernel,
use the minimum block size as the sector size if it is larger
than 512, which also has the nice effect of cooperating with
(non-qemu) servers that don't do read-modify-write when
exposing a block device with 4k sectors; it might also allow
us to visit a file larger than 2T on a 32-bit kernel.
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170707203049.534-10-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-07-07 23:30:49 +03:00
|
|
|
uint32_t min_block;
|
|
|
|
uint32_t opt_block;
|
|
|
|
uint32_t max_block;
|
2018-03-12 18:21:23 +03:00
|
|
|
|
2019-01-17 22:36:47 +03:00
|
|
|
uint32_t context_id;
|
nbd/client: Add nbd_receive_export_list()
We want to be able to detect whether a given qemu NBD server is
exposing the right export(s) and dirty bitmaps, at least for
regression testing. We could use 'nbd-client -l' from the upstream
NBD project to list exports, but it's annoying to rely on
out-of-tree binaries; furthermore, nbd-client doesn't necessarily
know about all of the qemu NBD extensions. Thus, we plan on adding
a new mode to qemu-nbd that merely sniffs all possible information
from the server during handshake phase, then disconnects and dumps
the information.
This patch adds the low-level client code for grabbing the list
of exports. It benefits from the recent refactoring patches, in
order to share as much code as possible when it comes to doing
validation of server replies. The resulting information is stored
in an array of NBDExportInfo which has been expanded to any
description string, along with a convenience function for freeing
the list.
Note: a malicious server could exhaust memory of a client by feeding
an unending loop of exports; perhaps we should place a limit on how
many we are willing to receive. But note that a server could
reasonably be serving an export for every file in a large directory,
where an arbitrary limit in the client means we can't list anything
from such a server; the same happens if we just run until the client
fails to malloc() and thus dies by an abort(), where the limit is
no longer arbitrary but determined by available memory. Since the
client is already planning on being short-lived, it's hard to call
this a denial of service attack that would starve off other uses,
so it does not appear to be a security issue.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20190117193658.16413-18-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2019-01-17 22:36:54 +03:00
|
|
|
|
|
|
|
/* Set by server results during nbd_receive_export_list() */
|
|
|
|
char *description;
|
2019-01-17 22:36:55 +03:00
|
|
|
int n_contexts;
|
|
|
|
char **contexts;
|
2017-07-07 23:30:41 +03:00
|
|
|
};
|
|
|
|
typedef struct NBDExportInfo NBDExportInfo;
|
|
|
|
|
2019-01-17 22:36:46 +03:00
|
|
|
int nbd_receive_negotiate(QIOChannel *ioc, QCryptoTLSCreds *tlscreds,
|
|
|
|
const char *hostname, QIOChannel **outioc,
|
|
|
|
NBDExportInfo *info, Error **errp);
|
nbd/client: Add nbd_receive_export_list()
We want to be able to detect whether a given qemu NBD server is
exposing the right export(s) and dirty bitmaps, at least for
regression testing. We could use 'nbd-client -l' from the upstream
NBD project to list exports, but it's annoying to rely on
out-of-tree binaries; furthermore, nbd-client doesn't necessarily
know about all of the qemu NBD extensions. Thus, we plan on adding
a new mode to qemu-nbd that merely sniffs all possible information
from the server during handshake phase, then disconnects and dumps
the information.
This patch adds the low-level client code for grabbing the list
of exports. It benefits from the recent refactoring patches, in
order to share as much code as possible when it comes to doing
validation of server replies. The resulting information is stored
in an array of NBDExportInfo which has been expanded to any
description string, along with a convenience function for freeing
the list.
Note: a malicious server could exhaust memory of a client by feeding
an unending loop of exports; perhaps we should place a limit on how
many we are willing to receive. But note that a server could
reasonably be serving an export for every file in a large directory,
where an arbitrary limit in the client means we can't list anything
from such a server; the same happens if we just run until the client
fails to malloc() and thus dies by an abort(), where the limit is
no longer arbitrary but determined by available memory. Since the
client is already planning on being short-lived, it's hard to call
this a denial of service attack that would starve off other uses,
so it does not appear to be a security issue.
Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Richard W.M. Jones <rjones@redhat.com>
Message-Id: <20190117193658.16413-18-eblake@redhat.com>
Reviewed-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com>
2019-01-17 22:36:54 +03:00
|
|
|
void nbd_free_export_list(NBDExportInfo *info, int count);
|
|
|
|
int nbd_receive_export_list(QIOChannel *ioc, QCryptoTLSCreds *tlscreds,
|
|
|
|
const char *hostname, NBDExportInfo **info,
|
|
|
|
Error **errp);
|
2017-07-07 23:30:41 +03:00
|
|
|
int nbd_init(int fd, QIOChannelSocket *sioc, NBDExportInfo *info,
|
2017-05-26 14:09:13 +03:00
|
|
|
Error **errp);
|
2017-08-04 18:14:27 +03:00
|
|
|
int nbd_send_request(QIOChannel *ioc, NBDRequest *request);
|
2019-02-18 16:56:01 +03:00
|
|
|
int coroutine_fn nbd_receive_reply(BlockDriverState *bs, QIOChannel *ioc,
|
|
|
|
NBDReply *reply, Error **errp);
|
2010-08-31 11:30:33 +04:00
|
|
|
int nbd_client(int fd);
|
2008-05-28 01:13:40 +04:00
|
|
|
int nbd_disconnect(int fd);
|
2017-10-27 13:40:27 +03:00
|
|
|
int nbd_errno_to_system_errno(int err);
|
2008-05-28 01:13:40 +04:00
|
|
|
|
2011-09-19 16:03:37 +04:00
|
|
|
typedef struct NBDExport NBDExport;
|
2011-09-19 16:33:23 +04:00
|
|
|
typedef struct NBDClient NBDClient;
|
2011-09-19 16:03:37 +04:00
|
|
|
|
2019-01-17 22:36:43 +03:00
|
|
|
NBDExport *nbd_export_new(BlockDriverState *bs, uint64_t dev_offset,
|
|
|
|
uint64_t size, const char *name, const char *desc,
|
2019-01-11 22:47:19 +03:00
|
|
|
const char *bitmap, uint16_t nbdflags,
|
|
|
|
void (*close)(NBDExport *), bool writethrough,
|
|
|
|
BlockBackend *on_eject_blk, Error **errp);
|
2011-09-19 16:03:37 +04:00
|
|
|
void nbd_export_close(NBDExport *exp);
|
2018-01-19 16:57:16 +03:00
|
|
|
void nbd_export_remove(NBDExport *exp, NbdServerRemoveMode mode, Error **errp);
|
2012-09-18 15:26:25 +04:00
|
|
|
void nbd_export_get(NBDExport *exp);
|
|
|
|
void nbd_export_put(NBDExport *exp);
|
2012-09-18 15:17:52 +04:00
|
|
|
|
2014-11-18 14:21:17 +03:00
|
|
|
BlockBackend *nbd_export_get_blockdev(NBDExport *exp);
|
2012-09-18 16:31:44 +04:00
|
|
|
|
2012-08-22 17:59:23 +04:00
|
|
|
NBDExport *nbd_export_find(const char *name);
|
|
|
|
void nbd_export_close_all(void);
|
|
|
|
|
2018-10-03 20:02:28 +03:00
|
|
|
void nbd_client_new(QIOChannelSocket *sioc,
|
2016-02-10 21:41:11 +03:00
|
|
|
QCryptoTLSCreds *tlscreds,
|
|
|
|
const char *tlsaclname,
|
nbd: Fix regression on resiliency to port scan
Back in qemu 2.5, qemu-nbd was immune to port probes (a transient
server would not quit, regardless of how many probe connections
came and went, until a connection actually negotiated). But we
broke that in commit ee7d7aa when removing the return value to
nbd_client_new(), although that patch also introduced a bug causing
an assertion failure on a client that fails negotiation. We then
made it worse during refactoring in commit 1a6245a (a segfault
before we could even assert); the (masked) assertion was cleaned
up in d3780c2 (still in 2.6), and just recently we finally fixed
the segfault ("nbd: Fully intialize client in case of failed
negotiation"). But that still means that ever since we added
TLS support to qemu-nbd, we have been vulnerable to an ill-timed
port-scan being able to cause a denial of service by taking down
qemu-nbd before a real client has a chance to connect.
Since negotiation is now handled asynchronously via coroutines,
we no longer have a synchronous point of return by re-adding a
return value to nbd_client_new(). So this patch instead wires
things up to pass the negotiation status through the close_fn
callback function.
Simple test across two terminals:
$ qemu-nbd -f raw -p 30001 file
$ nmap 127.0.0.1 -p 30001 && \
qemu-io -c 'r 0 512' -f raw nbd://localhost:30001
Note that this patch does not change what constitutes successful
negotiation (thus, a client must enter transmission phase before
that client can be considered as a reason to terminate the server
when the connection ends). Perhaps we may want to tweak things
in a later patch to also treat a client that uses NBD_OPT_ABORT
as being a 'successful' negotiation (the client correctly talked
the NBD protocol, and informed us it was not going to use our
export after all), but that's a discussion for another day.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1451614
Signed-off-by: Eric Blake <eblake@redhat.com>
Message-Id: <20170608222617.20376-1-eblake@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-06-09 01:26:17 +03:00
|
|
|
void (*close_fn)(NBDClient *, bool));
|
2012-09-18 15:17:52 +04:00
|
|
|
void nbd_client_get(NBDClient *client);
|
|
|
|
void nbd_client_put(NBDClient *client);
|
2011-09-19 16:03:37 +04:00
|
|
|
|
2017-04-26 10:36:41 +03:00
|
|
|
void nbd_server_start(SocketAddress *addr, const char *tls_creds,
|
|
|
|
Error **errp);
|
|
|
|
|
2017-10-27 13:40:36 +03:00
|
|
|
/* nbd_read
|
|
|
|
* Reads @size bytes from @ioc. Returns 0 on success.
|
|
|
|
*/
|
|
|
|
static inline int nbd_read(QIOChannel *ioc, void *buffer, size_t size,
|
2019-01-28 19:58:30 +03:00
|
|
|
const char *desc, Error **errp)
|
2017-10-27 13:40:36 +03:00
|
|
|
{
|
2019-01-28 19:58:30 +03:00
|
|
|
int ret = qio_channel_read_all(ioc, buffer, size, errp) < 0 ? -EIO : 0;
|
|
|
|
|
|
|
|
if (ret < 0) {
|
|
|
|
if (desc) {
|
|
|
|
error_prepend(errp, "Failed to read %s: ", desc);
|
|
|
|
}
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define DEF_NBD_READ_N(bits) \
|
|
|
|
static inline int nbd_read##bits(QIOChannel *ioc, \
|
|
|
|
uint##bits##_t *val, \
|
|
|
|
const char *desc, Error **errp) \
|
|
|
|
{ \
|
|
|
|
if (nbd_read(ioc, val, sizeof(*val), desc, errp) < 0) { \
|
|
|
|
return -1; \
|
|
|
|
} \
|
|
|
|
*val = be##bits##_to_cpu(*val); \
|
|
|
|
return 0; \
|
2017-10-27 13:40:36 +03:00
|
|
|
}
|
|
|
|
|
2019-01-28 19:58:30 +03:00
|
|
|
DEF_NBD_READ_N(16) /* Defines nbd_read16(). */
|
|
|
|
DEF_NBD_READ_N(32) /* Defines nbd_read32(). */
|
|
|
|
DEF_NBD_READ_N(64) /* Defines nbd_read64(). */
|
|
|
|
|
|
|
|
#undef DEF_NBD_READ_N
|
|
|
|
|
2017-10-27 13:40:35 +03:00
|
|
|
static inline bool nbd_reply_is_simple(NBDReply *reply)
|
|
|
|
{
|
|
|
|
return reply->magic == NBD_SIMPLE_REPLY_MAGIC;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool nbd_reply_is_structured(NBDReply *reply)
|
|
|
|
{
|
|
|
|
return reply->magic == NBD_STRUCTURED_REPLY_MAGIC;
|
|
|
|
}
|
|
|
|
|
2017-10-27 13:40:37 +03:00
|
|
|
const char *nbd_reply_type_lookup(uint16_t type);
|
2018-11-02 18:11:51 +03:00
|
|
|
const char *nbd_opt_lookup(uint32_t opt);
|
|
|
|
const char *nbd_rep_lookup(uint32_t rep);
|
|
|
|
const char *nbd_info_lookup(uint16_t info);
|
|
|
|
const char *nbd_cmd_lookup(uint16_t info);
|
|
|
|
const char *nbd_err_lookup(int err);
|
2017-10-27 13:40:37 +03:00
|
|
|
|
2008-05-28 01:13:40 +04:00
|
|
|
#endif
|